Koozali.org: home of the SME Server

kernel: TCP: Treason uncloaked!

Offline ghorst352

kernel: TCP: Treason uncloaked!
« on: December 17, 2013, 07:00:51 PM »
I have for the past month been getting the kernel error "TCP: Treason uncloaked!" message. I have googled "kernel: TCP: Treason uncloaked!" and you can find plenty of information regarding this topic; however, the information out there points in all different directions. There is nothing that I can see per my logs or firewall that would point to an attack of any sort, so I am siding w/ the information I see on the net, possibly with the kernel version and/or conflict with SME.


Here is my build: SME Server 8.0 with "all" of the important security updates as of 12/17/2013
Kernel version:  2.6.18-371.3.1.el5PAE


logfile: /var/log/messages/

Dec 17 11:26:29 mail kernel: TCP: Treason uncloaked! Peer 207.46.163.247:25/49245 shrinks window 3531356396:3531357706. Repaired.
Dec 17 11:47:34 mail kernel: TCP: Treason uncloaked! Peer 207.46.163.170:25/54824 shrinks window 2102177650:2102180270. Repaired.
Dec 17 11:47:34 mail kernel: TCP: Treason uncloaked! Peer 207.46.163.247:25/49372 shrinks window 1000342492:1000345112. Repaired.
Dec 17 11:47:35 mail kernel: TCP: Treason uncloaked! Peer 207.46.163.170:25/54824 shrinks window 2102177650:2102180270. Repaired.
Dec 17 11:47:35 mail kernel: TCP: Treason uncloaked! Peer 207.46.163.247:25/49372 shrinks window 1000342492:1000345112. Repaired.
Dec 17 12:08:03 mail kernel: TCP: Treason uncloaked! Peer 207.46.163.215:25/45964 shrinks window 2198891982:2198894602. Repaired.
Dec 17 12:08:03 mail kernel: TCP: Treason uncloaked! Peer 207.46.163.215:25/45964 shrinks window 2198891982:2198894602. Repaired.
Dec 17 12:13:33 mail kernel: TCP: Treason uncloaked! Peer 208.65.145.2:25/38244 shrinks window 2392449592:2392453267. Repaired.
Dec 17 12:13:35 mail last message repeated 2 times
Dec 17 12:15:01 mail kernel: TCP: Treason uncloaked! Peer 208.65.144.2:25/33709 shrinks window 1011027886:1011031816. Repaired.
Dec 17 12:15:09 mail last message repeated 4 times
Dec 17 12:26:46 mail kernel: TCP: Treason uncloaked! Peer 207.109.236.95:25/33026 shrinks window 870052634:870056324. Repaired.
Dec 17 12:26:49 mail last message repeated 3 times
Dec 17 12:39:11 mail kernel: TCP: Treason uncloaked! Peer 174.46.102.103:25/34263 shrinks window 777887076:777889536. Repaired.
Dec 17 12:39:12 mail kernel: TCP: Treason uncloaked! Peer 174.46.102.103:25/34264 shrinks window 899630582:899633042. Repaired.
Dec 17 12:39:12 mail kernel: TCP: Treason uncloaked! Peer 174.46.102.103:25/34264 shrinks window 899630582:899633042. Repaired.
Dec 17 12:40:14 mail kernel: TCP: Treason uncloaked! Peer 216.234.108.234:25/35908 shrinks window 665604226:665608132. Repaired.


Any help regarding this matter is appreciated  :-)
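A triage sketch for log lines like the ones quoted above, added here as an example and not part of the original post. It assumes the field order that 2.6-series kernels print from `net/ipv4/tcp_timer.c` (peer address, peer port, local port, then `snd_una:snd_nxt`); the sample lines use documentation addresses and are constructed, and `service_ports` is a hypothetical parameter.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the log excerpt in the post.
SAMPLE = """\
Dec 17 11:47:34 mail kernel: TCP: Treason uncloaked! Peer 198.51.100.10:25/54824 shrinks window 2102177650:2102180270. Repaired.
Dec 17 11:47:35 mail kernel: TCP: Treason uncloaked! Peer 198.51.100.10:25/54824 shrinks window 2102177650:2102180270. Repaired.
Dec 17 12:13:33 mail kernel: TCP: Treason uncloaked! Peer 203.0.113.2:25/38244 shrinks window 2392449592:2392453267. Repaired.
Dec 17 12:13:35 mail last message repeated 2 times
Dec 17 12:20:00 mail kernel: TCP: Treason uncloaked! Peer 192.0.2.7:40000/25 shrinks window 4294967000:200. Repaired.
"""

TREASON = re.compile(r"kernel: TCP: Treason uncloaked! Peer (\d+\.\d+\.\d+\.\d+):(\d+)/(\d+) "
                     r"shrinks window (\d+):(\d+)\. Repaired\.")
REPEAT = re.compile(r"last message repeated (\d+) times")

def summarize(text):
    """Count events per (peer_ip, peer_port, local_port) and record unacked bytes."""
    events, unacked, last = Counter(), {}, None
    for line in text.splitlines():
        m = TREASON.search(line)
        if m:
            ip, pport, lport, una, nxt = m.group(1), *map(int, m.groups()[1:])
            last = (ip, pport, lport)
            events[last] += 1
            unacked[last] = (nxt - una) % 2**32  # sequence numbers wrap at 2^32
            continue
        r = REPEAT.search(line)
        if r and last is not None:
            events[last] += int(r.group(1))  # syslog collapsed identical lines
        else:
            last = None  # an unrelated message intervened
    return events, unacked

def direction(pport, lport, service_ports=(25,)):
    """Peer on a service port: this host dialled out. Local on one: the peer dialled in."""
    if pport in service_ports and lport not in service_ports:
        return "outbound"
    if lport in service_ports and pport not in service_ports:
        return "inbound"
    return "unknown"

def report(text):
    """Rows of (peer_ip, direction, event_count, unacked_bytes), busiest first."""
    events, unacked = summarize(text)
    rows = [(ip, direction(pp, lp), n, unacked[(ip, pp, lp)])
            for (ip, pp, lp), n in events.items()]
    return sorted(rows, key=lambda row: -row[2])

if __name__ == "__main__":
    for row in report(SAMPLE):
        print("%-15s %-8s events=%d unacked_bytes=%d" % row)
```

Grouping by direction separates connections this host opened to remote SMTP servers from connections opened by remote clients to a local service, which is the distinction to check before treating the message as hostile traffic.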


Offline Fumetto

Re: kernel: TCP: Treason uncloaked!
« Reply #1 on: December 17, 2013, 07:38:44 PM »
The short answer is that it looks like someone is spoofing an IP, feigning a connection to your http and/or pop3 servers, then setting their window size to 0 so your daemon sits there trying to send them the data over and over (for instance, they may start a connection and immediately set their window to 0, so you cannot send back the http or pop3 connection banner message).

DDoS attack?

Offline ghorst352

Re: kernel: TCP: Treason uncloaked!
« Reply #2 on: December 17, 2013, 07:51:14 PM »
I appreciate your feedback but I disagree with your assessment. All of these logged kernel messages are on port 25, and this, by the way, is on my email server, so the majority of the traffic received by this server comes from email servers relaying email. Now, I would be more suspicious and agree with what you said if in fact these errors were generated on different ports, but I did the extra homework of tracing the IPs. I guess I should just go ahead and file a bug report.

Offline ghorst352

Re: kernel: TCP: Treason uncloaked!
« Reply #3 on: December 17, 2013, 08:17:27 PM »
BUG FILED: 8068

http://bugs.contribs.org/show_bug.cgi?id=8068

pending response...